https certificates?

tautology
Posts: 352
Joined: Wed Sep 01, 2010 2:26 pm

Re: https certificates?

Postby tautology » Tue Nov 28, 2017 11:21 pm

I don't want to really get into an argument about this; but you seem to be expecting more from certificate integrity than it was ever designed to do.

The certificate is proof that the server (or optionally the client) is who it says it is, i.e. that stardot.org.uk is stardot.org.uk and not stardto.org.uk. Nothing more. It does not say (nor is it ever meant to say) that stardot.org.uk is a valid site. This works and protects integrity and, importantly, confidentiality between the client and the requested server.

There was an HTTP header extension (HPKP) to implement key pinning (such as is used on mobile apps) to improve this, but there were implementation issues with the specification so for now it's not recommended.

Applying SSL to a site is simple, quick and (unless you cock it up) secure. DNSSEC does not compete with SSL, it just applies integrity protection to DNS (but no protection for confidentiality). Both can and should be used if possible.
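The name-binding point above is exactly what a TLS client's hostname check enforces. The matcher below is an added example, not code from the thread; it follows the usual browser rules for subjectAltName dNSName entries (case-insensitive, wildcard only as the whole leftmost label, matching one label), and the SAN list is constructed.

```python
"""Hostname matching against a certificate's subjectAltName dNSName entries.

Added illustration. A match only says "this certificate was issued for this
name"; it says nothing about whether the site behind the name is trustworthy.
"""


def _label_matches(pattern_label: str, host_label: str) -> bool:
    # A wildcard must be the whole label ("*"), never a partial one like "f*".
    if pattern_label == "*":
        return True
    return pattern_label == host_label


def hostname_matches(hostname: str, san_dnsnames: list[str]) -> bool:
    """Return True if hostname is covered by one of the certificate's dNSName SANs."""
    host = hostname.rstrip(".").lower().split(".")
    for name in san_dnsnames:
        pattern = name.rstrip(".").lower().split(".")
        if "*" in name:
            # Only the leftmost label may be a wildcard, and it must be followed
            # by at least two fixed labels, so "*" or "*.uk" style names are rejected.
            if pattern[0] != "*" or any("*" in p for p in pattern[1:]) or len(pattern) < 3:
                continue
        if len(pattern) != len(host):
            # "*.stardot.org.uk" covers forum.stardot.org.uk but not a.b.stardot.org.uk
            # and not the bare stardot.org.uk.
            continue
        if all(_label_matches(p, h) for p, h in zip(pattern, host)):
            return True
    return False


# Constructed SAN list standing in for what a certificate for the forum might carry.
SAMPLE_SANS = ["stardot.org.uk", "*.stardot.org.uk"]

if __name__ == "__main__":
    for candidate in ["stardot.org.uk", "forum.stardot.org.uk",
                      "a.b.stardot.org.uk", "stardto.org.uk"]:
        print(candidate, hostname_matches(candidate, SAMPLE_SANS))
```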

crj
Posts: 328
Joined: Thu May 02, 2013 4:58 pm

Re: https certificates?

Postby crj » Tue Nov 28, 2017 11:43 pm

No, I'm expecting from certification what it was originally intended to provide: reassurance that you're communicating with the entity that has a specific human-comprehensible name. So, for example, it shouldn't be possible for the owners of barclays-bank.co.uk to get a certificate saying they're Barclays Bank.

Even if it's only certifying that the entity rightfully controls a particular hostname, which is already a weakening of the original intent, they ought to be performing some checks beyond making sure they have control over the hostname right now.

You seem to be under the misapprehension that X.509 and TLS are the same thing. (You also seem to be under the misapprehension that SSL wasn't rendered obsolete by TLS eighteen years ago.) I have no problem with TLS. Even X.509, though baroque and error-prone to implement, isn't actually broken and there are several mature libraries. My complaint is at how X.509 certification authorities and browser manufacturers are conducting themselves.

Meanwhile, once you have DNSSEC you can trust responses to DNS queries. That means DNS can be used to distribute public keys for various purposes. In the case of TLS, via DANE.
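Distributing a TLS key via DNS, as crj describes, is done with a TLSA record (RFC 6698). The record matcher below is an added example and not code from the thread; it covers only the matching step, on the assumption that the record itself arrived through a DNSSEC-validated lookup. The SPKI and certificate bytes are constructed stand-ins, not real key material.

```python
"""DANE TLSA record parsing and matching (RFC 6698), added illustration.

TLSA rdata is: usage (1 byte), selector (1 byte), matching type (1 byte),
certificate association data. The common "3 1 1" form pins the SHA-256 of the
server's SubjectPublicKeyInfo (DANE-EE), so a key rollover needs a new record
but a reissued certificate for the same key does not.
"""
import hashlib
from dataclasses import dataclass

USAGE_DANE_EE = 3
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    data: bytes


def parse_tlsa(rdata: bytes) -> TLSA:
    """Decode raw TLSA rdata; raises ValueError on malformed input."""
    if len(rdata) < 4:
        raise ValueError("TLSA rdata too short")
    return TLSA(rdata[0], rdata[1], rdata[2], rdata[3:])


def tlsa_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Check a presented end-entity certificate against one TLSA record."""
    if record.selector == SELECTOR_FULL_CERT:
        selected = cert_der
    elif record.selector == SELECTOR_SPKI:
        selected = spki_der
    else:
        return False  # unknown selector: fail closed, never "unusable, so accept"
    if record.matching_type == MATCH_EXACT:
        return selected == record.data
    if record.matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest() == record.data
    if record.matching_type == MATCH_SHA512:
        return hashlib.sha512(selected).digest() == record.data
    return False


# Constructed stand-ins: a fake SPKI, a fake cert around it, and a "3 1 1" record.
FAKE_SPKI = b"constructed-spki-bytes-not-a-real-key"
FAKE_CERT = b"constructed-cert-bytes-wrapping:" + FAKE_SPKI
SAMPLE_RDATA = bytes([USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256]) + hashlib.sha256(FAKE_SPKI).digest()
```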

tautology
Posts: 352
Joined: Wed Sep 01, 2010 2:26 pm

Re: https certificates?

Postby tautology » Wed Nov 29, 2017 12:15 am

As you've decided to patronise, I'm not going to respond to you anymore.

danielj
Posts: 5364
Joined: Thu Oct 02, 2008 4:51 pm
Location: Manchester

Re: https certificates?

Postby danielj » Wed Nov 29, 2017 5:47 am

It seems timely to remind people that at the end of each of these posts is another human being, and that a little humility goes a long way. Tone and language are everything on the Internet.

Additionally, what may be "obvious" to one may not be to someone else, and no one has the monopoly on opinion.

pau1ie
Posts: 325
Joined: Thu May 10, 2012 9:48 pm
Location: Bedford

Re: https certificates?

Postby pau1ie » Wed Dec 06, 2017 4:06 pm

Thought I would derail this thread even further by linking here: Are EV certificates worth the paper they're written on. Most of this has already been covered, but I found it thoughtful and interesting.
I'm working on http://bbcmicro.co.uk

crj
Posts: 328
Joined: Thu May 02, 2013 4:58 pm

Re: https certificates?

Postby crj » Wed Dec 06, 2017 5:12 pm

OV feels like the most appropriate kind of certificate: it actually gives some assurance of identity beyond "this person was in control of the domain when they applied", but isn't an expensive status symbol like EV. Once upon a time, it was the only kind of certificate one could get.

DV is squeezing it out from below and EV from above. Both of these annoy me in equal measure...

...though not half as much as organisations that redirect you to a payment broker you've never heard of to take your credit card details. If reputable-utility-company.co.uk sends you to my-super-legit-payments.biz that also makes a mockery of things.

Once upon a time I wouldn't touch PayPal with a bargepole. Nowadays, I pay through it in preference to giving out my card details because everything else has become even less secure. *sigh*

sirbod
Posts: 742
Joined: Mon Apr 09, 2012 8:44 am
Location: Essex

Re: https certificates?

Postby sirbod » Thu Dec 07, 2017 6:48 pm

crj wrote:Once upon a time I wouldn't touch PayPal with a bargepole. Nowadays, I pay through it in preference to giving out my card details because everything else has become even less secure. *sigh*

PayPal is not an acquirer, they're a merchant. They pass your credit card details onto an acquirer via the Internet, who in turn validate your card details with the issuer via the Internet.

The only difference between PayPal and a smaller merchant is PayPal obfuscate the acquirer authentication by holding your credit card details and passing them in the background, whereas a small merchant will redirect you directly to the acquirer thereby avoiding having to become PCI-DSS compliant themselves.

crj
Posts: 328
Joined: Thu May 02, 2013 4:58 pm

Re: https certificates?

Postby crj » Thu Dec 07, 2017 6:53 pm

That's not the only difference.

The more important differences aren't technical: they're relatively reputable by the standards of the day, and large enough to be accountable to the court of public opinion if they ever screw me over.

roland
Posts: 2808
Joined: Thu Aug 29, 2013 8:29 pm
Location: Born (NL)

Re: https certificates?

Postby roland » Thu Dec 07, 2017 9:35 pm

danielj wrote:OK - if you want to connect via https, you should now be able to - please let me know if you have any issues!

I'm having an issue:

[screenshot attachment: SchermAfdruk.png]

This is on Linux Mint with FF 57.0.1. The error message means something like this:
Error while connecting to stardot.org.uk. SSL received a record that exceeded the maximum allowed length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG
256K + 6502 Inside
MAN WOMAN :shock:
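The error roland reports is what a TLS client shows when the server answers its ClientHello with plain HTTP, typically because the port 443 vhost has no TLS engine enabled. The decoder below is an added example, not code from the thread; it reads the first bytes of a response as a TLS record header and shows where the "too long" length comes from. Both responses are constructed.

```python
"""Why a plaintext HTTP reply on port 443 gives SSL_ERROR_RX_RECORD_TOO_LONG.

A TLS record starts with a 5-byte header: content type (1 byte), protocol
version (2 bytes), fragment length (2 bytes, big-endian). Read as such a
header, the ASCII bytes "HTTP/" give a length of 0x502F = 20527, above the
2^14 + 2048 byte ceiling TLS 1.2 allows for a ciphertext record, so NSS
rejects the record as too long.
"""
import struct

MAX_CIPHERTEXT_RECORD = 2**14 + 2048   # RFC 5246 section 6.2.3
HANDSHAKE = 22


def classify_first_bytes(data: bytes) -> str:
    """Describe what a TLS client makes of the first five bytes it receives."""
    if len(data) < 5:
        return "short read"
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    if content_type == HANDSHAKE and major == 3:
        return f"TLS handshake record, version 3.{minor}, length {length}"
    if length > MAX_CIPHERTEXT_RECORD:
        return (f"not TLS: type 0x{content_type:02x}, length {length} > "
                f"{MAX_CIPHERTEXT_RECORD} (SSL_ERROR_RX_RECORD_TOO_LONG)")
    return f"unexpected record type {content_type}"


def looks_like_plaintext_http(data: bytes) -> bool:
    """True when the server answered the ClientHello with plain HTTP."""
    return data.startswith(b"HTTP/")


# Constructed responses: the 400 a plain-HTTP vhost tends to return when it is
# handed a ClientHello, and the start of a genuine TLS 1.2 ServerHello record.
PLAINTEXT_REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
TLS_REPLY = bytes([0x16, 0x03, 0x03, 0x00, 0x5A]) + b"\x02\x00\x00\x56\x03\x03"

if __name__ == "__main__":
    for reply in (PLAINTEXT_REPLY, TLS_REPLY):
        print(classify_first_bytes(reply))
```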

danielj
Posts: 5364
Joined: Thu Oct 02, 2008 4:51 pm
Location: Manchester

Re: https certificates?

Postby danielj » Thu Dec 07, 2017 9:44 pm

I've not re-enabled it as it was allowing access to all the directories in the forum directory structure and I've not had time to work out how to prevent that at the moment :(

d.

richardtoohey
Posts: 3378
Joined: Thu Dec 29, 2011 5:13 am
Location: Tauranga, New Zealand

Re: https certificates?

Postby richardtoohey » Mon Dec 11, 2017 8:10 am

You might need DirectoryIndex ...

danielj
Posts: 5364
Joined: Thu Oct 02, 2008 4:51 pm
Location: Manchester

Re: https certificates?

Postby danielj » Mon Dec 11, 2017 8:26 am

I think you're right. I need a moment to delve back into the config...

d.
